Many ways exist to gather and analyze packet traces on iOS devices. Applications such as Charles Proxy, mitmproxy, and Burp work through a proxy setup. In this article, I will show how to capture packets with standard macOS tooling.

Apple added the remote virtual interface (RVI) facility in iOS 5. RVI lets you use macOS packet trace tools to capture traces from an iOS device.

Step 1: Connect the iOS device to your Mac via an Apple lightning USB cable.

Step 2: Set up an RVI for the device. This step creates the virtual network interface on your Mac.

Step 3: Run your favorite macOS packet trace app, specifying the RVI created in step 2.

You will need the UDID of your connected device. Locate your UDID in Xcode (Window -> Devices and Simulators). The Identifier label displays the UDID. Copy the value by highlighting it, control-clicking, and selecting the Copy option. You can use iTunes to copy the UDID as well.

Start a Terminal session to get a bash shell.

Let’s list the current network interfaces on the Mac.

$ ifconfig -l
lo0 gif0 stf0 en0 en1 p2p0 fw0 ppp0 utun0

You should see something comparable to the interfaces listed above.

The rvictl command sets up an RVI. Run man rvictl to show its usage. Our example UDID will be 0e6074aa45494b89b4b4984820fe1168. Execute the following:

$ rvictl -s 0e6074aa45494b89b4b4984820fe1168
Starting device 0e6074aa45494b89b4b4984820fe1168 [SUCCEEDED]

List the network interfaces again to display the newly created remote virtual interface.

$ ifconfig -l
lo0 gif0 stf0 en0 en1 p2p0 fw0 ppp0 utun0 rvi0

In this example, rvi0 is the name of the remote virtual interface.

We can use standard tools to capture a packet trace from the RVI. tcpdump needs root privileges to open the interface, hence the sudo:

$ sudo tcpdump -i rvi0 -w trace.pcap

Other applications such as Burp and Wireshark can log packets as well.

When you wish to remove the RVI run the following command:

$ rvictl -x 0e6074aa45494b89b4b4984820fe1168
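The whole workflow above (start the RVI, find the new interface, capture, remove the RVI) wrapped in one script. This is an added example, not code from the original article: it relies only on the rvictl, ifconfig and tcpdump commands shown on this page; the script name rvi-capture.sh and its function names are hypothetical, and the sample ifconfig output used in its checks is constructed.

```shell
#!/bin/sh
# rvi-capture.sh (hypothetical helper, not part of Apple's tooling): automates the
# rvictl -s / tcpdump / rvictl -x workflow and always tears the RVI down on exit.
# Usage: sudo ./rvi-capture.sh <UDID> [output.pcap] [tcpdump filter ...]
set -eu

# Accept a UDID only if it looks like one: the all-hex form (the article's 0e6074aa...)
# or the newer 8-hex "-" 16-hex form, so a stray argument never reaches rvictl.
valid_udid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{8,40}(-[0-9A-Fa-f]{16})?$'
}

# Given "ifconfig -l" output before and after "rvictl -s", print the interface that
# appeared (rvi0 in the article, rvi1 if an RVI already existed); return 1 if none did.
new_interface() {
    before="$1"
    after="$2"
    for iface in $after; do
        found=0
        for old in $before; do
            if [ "$iface" = "$old" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then printf '%s\n' "$iface"; return 0; fi
    done
    return 1
}

cleanup() {
    trap - EXIT INT TERM          # avoid running twice on Ctrl-C
    rvictl -x "$udid"             # remove the RVI, as in the article's last step
}

main() {
    udid="$1"; shift
    out="${1:-trace.pcap}"
    if [ "$#" -gt 0 ]; then shift; fi
    filter="$*"                   # remaining args form a BPF filter, e.g. 'tcp port 80'
    if ! valid_udid "$udid"; then echo "invalid UDID: $udid" >&2; return 2; fi
    before=$(ifconfig -l)
    rvictl -s "$udid"
    after=$(ifconfig -l)
    # Do not trust the "[SUCCEEDED]" banner alone; confirm an interface really appeared.
    if ! iface=$(new_interface "$before" "$after"); then
        rvictl -x "$udid"; echo "no new rvi interface appeared" >&2; return 1
    fi
    trap cleanup EXIT INT TERM
    echo "capturing on $iface to $out (Ctrl-C to stop)" >&2
    tcpdump -i "$iface" -w "$out" $filter   # unquoted on purpose: filter is word-split
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Stopping tcpdump with Ctrl-C triggers the cleanup trap, so the RVI is removed even if you forget the rvictl -x step.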

Keep in mind that this approach works for HTTP traffic and not for TLS/SSL traffic. We will cover sniffing TLS traffic another time.